deaddrop requirements

Some of the configuration parameters must be delivered to sysctl before a deaddrop appliance can be built and delivered. After the delivery of an appliance additional configuration must be applied.

deaddrop appliance requirements before delivery

The following information is required before an appliance server can be built

Appliance server type

Virtual appliance or a physical appliance
Server specification (see server-spec.pdf document)

Virtual server

Virtualization technology
Version of virtualization software
Can you receive qcow2 harddrive yes/no?
Support for UEFI yes/no?
Desired disk size

IP configuration

ip address (ipv4 and/or ipv6)
netmask (ipv4 and/or ipv6)
default gateway (ipv4 and/or ipv6)

DNS configuration

hostname (ie. deaddrop)
fqdn (ie. deaddrop.sysctl.se)

SMS configuration

desired SMS solution (ie. GSM-modem or SMS-gateway provider)
- GSM modem
- 46elks
- Beepsend
- Bosbec
- Clickatell
- Link Mobility
- Sergel
- Telia Telemat
- Twilio
- Tele2

Email configuration

mailbox for administrators (ie. system mail, ie hardware failures, malware detection etc)
mail address to use as sender address from deaddrop to end users (ie “you have received a protected file”)

Password policy

minimum password length
complexity (capital letters, lower case, number, special characters)
sms password (character list)
sms password length

Other configurations

user session timeout time
internal service desk support number
internal service desk support email
maximum size of files that is allowed for upload

Onsite preparation

The following must be ready during delivery

Contact person

One person on site that is able to give access to the console on the delivered appliance.

External firewall

The following is the minimal network connection requirements, relating to firewall rules and opening of UDP and TCP ports, that deaddrop needs to work properly.

inbound from internet (access to deaddrop service)

80/TCP
443/TCP

inbound from administrative network or similar

8443/TCP

outbound to dmz or similar (DNS server[s])

53 TCP/UDP

outbound to desired NTP server(s)

123/UDP

outbound to desired SMTP relay

25/TCP

outbound connection to updates.sysctl.se (software updates, system patches, AV updates)

TCP/443

It is extremely important that the interface used for administration (web via 8443/TCP) is only exposed towards an administrative network, not outward to the internet.

Additional firewall rules may be needed when integrating to other services (ie SMS gateway or external log server). An SMS gateway provider often allows for connections via HTTPS, so explicit outbound HTTPS connection to the specific provider needs to be added to the firewall.

For explanation about network connections see deaddrop-net document.

DNS

For correct DNS setup, at least the following information is needed:

An A record in DNS for FQDN
A PTR record for IPv4 and/or IPv6 address

SMS

For correct SMS setup, at least one of the following choices needs to be completely configured:

GSM modem
- sim card
- pin code to sim card
SMS gateway
- username
- password
- additional tokens

CA

Access to an account (or personnel that has access to account) that can issue x509 certificates from a webtrust PKI.

Process

All password and secrets will be created or changed onsite during the installation time, please be prepared to handle the new passwords.

After delivery requirements

Contact persons

A email address to a person or group account which information about updates and similar information can be sent to
If the API is used, a email address to a person or group account which information about planned changed in the API can be sent to
If sysctl are handling software updates, a contact person to request service windows
If sysctl are handling software updates, a fixed service window when possible